I think you'll find that Sam Liedl's document regarding policy creation in version 8 will probably go a long way to answering your question:-
It indicates that in certain cirumstances (and I beleive that SSH is one of them) if you use particular 'applications' it will always operate as a proxy, regardless of the application defense you choose to apply to the rule. This, I'm guessing, then means that the Firewall will always try and play an active role in the SSH connections and will therefore try to use its own keys.
I suspect that the only way you are going to be able to pass SSH through the Firewall and not have it get in the way is to create a user-defined application running on port 22 and use this in the rule instead.
I've encountered a few issues when using some of the McAfee-supplied application entries and Tech Support's go-to response is to use a user-defined application entry instead.
Hope that helps.